Re: SOX compliant .. different password policy need for privil



yeap, now I agree :)

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

"steve_t" <stevet@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:76AF7E01-230F-4509-B255-2F6EEA488C85@xxxxxxxxxxxxxxxx
I agree. I wasn't even thinking about the administrator account in the
current forest root. So a more thorough answer would be to create a new
domain tree or child domain, have the password policy for the new domain
match the existing domain, move all user accounts to the new domain, modify
the password policy on the forest root domain to meet the SOX requirements,
and force all administrative accounts to reset their passwords under the new
requirements. One issue you will continue to have is that the default admin
account on the new domain will only require a password that meets the less
strict requirements of that domain, but I'm not sure how to get around that.

Steve

"Andrei Ungureanu [MVP]" wrote:

I believe that he needs to move all the accounts to the newly created domain
and keep the privileged accounts in the existing domain (after all, this is
the forest root domain that contains the Enterprise Admins group).

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

"steve_t" <stevet@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E69D3AFE-322C-42FB-8E4A-F72C8B608968@xxxxxxxxxxxxxxxx
Creating a new domain tree in the forest should work. You're correct that
it's not really an empty root implementation, but it should work for what
you want to do. Create a new domain tree in the forest with the new password
policy. You can use the MoveTree utility
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;q238394) to move
the privileged accounts from the current domain to the new one, or you can
create new privileged accounts in the new domain. (If you move the accounts
from the original domain, I believe the new password policy will not come
into effect until the next time the password is reset.) Either way, add the
privileged users to the Enterprise Administrators group in the forest root
domain, and they will have administrative privileges throughout the
enterprise. You can keep their non-privileged accounts in the original
domain with the original password policy - your administrators have
non-privileged accounts for everyday use, of course...right? :-)

Hope this helps.

Steve

"John" wrote:

Hello All,
Due to recent SOX requirements we are required to have a different password
policy for all privileged accounts; however, our Win2003 forest consists of
a single domain. We would have liked to implement the empty root design
model, so that all our privileged accounts would reside in the root domain
and all user accounts would reside in the child domain. However, this design
model is not an option since we currently have a flat single forest / single
domain, and restructuring our forest to include an empty root domain would
be impossible, or is it possible?
My question is: how do I implement a different password policy for all my
privileged accounts?
I had one idea but am not sure if this would work: create a non-contiguous
domain tree, and this domain will contain all my privileged accounts, thus
using a different password policy. But I would also need these privileged
accounts to be domain admins of the entire forest. Would this work?

Any ideas would certainly be appreciated.
TIA..
John
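
Editor's note: the thread settles on keeping forest-wide privileged accounts in the domain that carries the strict (SOX) password policy, and Steve points out two gaps: a moved account stays under its old policy until its password is next reset, and the built-in Administrator of the weaker domain is never covered. The script below is an added example, not code from the thread, that audits for exactly those two conditions. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT), which did not exist for the Windows 2003 forest discussed here, and it takes the date the strict policy was applied as a parameter because the thread gives no such date. It reads the group's member attribute directly rather than using Get-ADGroupMember -Recursive, which is unreliable for cross-domain members of a universal group such as Enterprise Admins.

```powershell
# Added audit script (not from the original thread). Requires the
# ActiveDirectory module; run from a member of the forest root domain.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # "CN=Bob,OU=Admins,DC=corp,DC=example,DC=com" -> "corp.example.com"
    param([string]$DN)
    (($DN -split ',') | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-PrivilegedUsers {
    # Walk a group's member attribute (nested groups included) and return the
    # user objects, querying each member against its own domain's DC.
    param([string]$GroupDN, [string]$Server, [hashtable]$Seen = @{})
    $grp = Get-ADGroup -Identity $GroupDN -Server $Server -Properties member
    foreach ($dn in $grp.member) {
        if ($Seen.ContainsKey($dn)) { continue }   # guard against nested loops
        $Seen[$dn] = $true
        $dom = Get-DomainFromDN $dn
        $obj = Get-ADObject -Identity $dn -Server $dom -Properties objectClass
        switch ($obj.ObjectClass) {
            'group' { Get-PrivilegedUsers -GroupDN $dn -Server $dom -Seen $Seen }
            'user'  { Get-ADUser -Identity $dn -Server $dom -Properties PasswordLastSet, Enabled }
        }
    }
}

function Test-PrivilegedPasswordPolicy {
    param(
        [Parameter(Mandatory)][datetime]$PolicyChangedOn,   # assumed: day the strict policy went live
        [string[]]$Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins')
    )
    $forest = Get-ADForest
    $root   = $forest.RootDomain

    # Default domain password policy of every domain in the forest; the one
    # with the longest minimum length is taken to be the strict (SOX) policy.
    $policy = @{}
    foreach ($d in $forest.Domains) {
        $policy[$d] = Get-ADDefaultDomainPasswordPolicy -Server $d
    }
    $strict = ($policy.GetEnumerator() |
        Sort-Object { $_.Value.MinPasswordLength } -Descending |
        Select-Object -First 1).Key

    foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root;
        # Domain Admins exists in every domain, including the weaker one.
        $servers = if ($g -eq 'Domain Admins') { $forest.Domains } else { @($root) }
        foreach ($s in $servers) {
            $gdn = (Get-ADGroup -Identity $g -Server $s).DistinguishedName
            foreach ($u in Get-PrivilegedUsers -GroupDN $gdn -Server $s) {
                $dom = Get-DomainFromDN $u.DistinguishedName
                [pscustomobject]@{
                    Group           = "$g@$s"
                    User            = $u.SamAccountName
                    Domain          = $dom
                    Enabled         = $u.Enabled
                    PasswordLastSet = $u.PasswordLastSet
                    # Account lives in a domain whose policy is not the strict one
                    WrongDomain     = ($dom -ne $strict)
                    # Password predates the policy change (or was never set), so it
                    # was never validated against the strict policy
                    StalePassword   = ($u.PasswordLastSet -lt $PolicyChangedOn)
                }
            }
        }
    }
}

# Usage: list every privileged account that still violates the intended end state.
Test-PrivilegedPasswordPolicy -PolicyChangedOn '2006-01-01' |
    Where-Object { $_.WrongDomain -or $_.StalePassword } |
    Format-Table -AutoSize
```

Anything reported with WrongDomain is a privileged account that was left behind (or newly created) in the weaker domain; the built-in Administrator of the non-root tree will always show up here, which is the residual gap Steve describes. Anything reported with StalePassword has not had its password reset since the policy change, so forcing a reset (or setting the "must change password at next logon" flag) is the remediation.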
